Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.

The security flaw is a remote code execution vulnerability (CVE-2014-1776) that affects versions of IE6 through IE11, which in total accounted for 26.25% of the browser market in 2013. 

The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11. 

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday. 

Microsoft also issued a security advisory on Saturday and said they were working with partners in its Microsoft Active Protections Program (MAPP) to extend broader protections to customers as soon as possible.

If successfully exploited, an attacker could gain the same user rights on the impacted system as the current user, Microsoft said. Accounts configured with fewer rights on the could be less impacted than users who operate with administrative privilages.

FireEye has named the campaign “Operation Clandestine Fox,” but has shared very little details other than saying the group behind the exploit has been the first to have access to a select number of browser-based 0-days in the past.

FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“They have a number of backdoors including one known as Pirpi that we previously discussed here,” the researchers wrote. “CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8 dropped the Pirpi payload discussed in this previous case.” 

“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray,” FireEye explained. “The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”

Because the attack leverages Adobe Flash, users who do not have Flash installed or have the Flash plugin for IE disabled, will be protected. Additionally, several versions of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will break the exploit.

Additional technical details are available from FireEye. Microsoft also has provided some mitigation information. 

Related: ASLR Bypass Techniques Appearing More Frequently in Attacks

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management
• Vulnerabilities
• Data Protection

Oracle issued an advisory today listing both security updates and detailing what is known and unknown about the Heartbleed vulnerability’s impact on Oracle products.

“The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products,” Oracle noted in its advisory. “Note that only a number of OpenSSL cryptographic libraries versions were reported as affected by vulnerability CVE-2014-0160.  In other words, certain Oracle products, while they may be reported as using OpenSSL, may not be using versions of OpenSSL that were reported as vulnerable to CVE-2014-016.”

The products known to be vulnerable include and for which there are patches are: MySQL Connector/C 6.1.0-6.1.3; MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6 and 5.3.2; MySQL Enterprise Backup 3.10.0; MySQL Enterprise Monitor 2.3.13-2.3.15 and 3.0.0-3.0.8; MySQL Enterprise Server 5.6.11-5.6.17 and MySQL Workbench 6.1.4 and earlier. Other products known to be vulnerable that have patches available are: Oracle Big Data Appliance; Oracle Communications Interactive Session Recorder 4.0.0 and later; Oracle Communications Network Charging and Control 5.0.1; Oracle Communications Session Monitor Suite 3.3.40 and 3.3.50; Oracle Linux 6; Oracle Mobile Security Suite; Oracle Virtual Compute Appliance Software; and Solaris 11.2.

There are other products that are considered likely to be vulnerable but have no fixes, such as Java ME – JSRs and Optional Packages and Oracle Communications Session Delivery Management Suite NNC 7.3. Several other products, including Java CAPS 6.2 and Siebel CRM, are considered by Oracle to be potentially vulnerable but are still investigation. 

“Oracle’s Cloud security and development teams are aware of the publicly disclosed vulnerability in certain versions of OpenSSL (a.k.a. CVE-2014-0160; or ‘Heartbleed’),” according to the advisory. “Oracle is investigating the implications of this issue across the Oracle stack.”

“The Oracle Cloud uses a “defense in depth” approach to security, which provides risk mitigation due to layered controls,” Oracle noted. Oracle has assessed that the infrastructure, systems and applications used to provide Oracle Cloud services (“Cloud infrastructure”) were not at risk from this vulnerability, due to Oracle’s network architecture and use of SSL accelerators that have not been reported as vulnerable to CVE-2014-0160. Furthermore, Oracle has assessed our Cloud infrastructure using a number of automated and manual tests and continues to believe that it is not currently at risk from the CVE-2014-0160 vulnerability.”

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

Attackers Exploit Heartbleed Vulnerability to Circumvent Multi-factor Authentication on VPNs and Hijack Active User Sessions

After details of the critical “Heartbleed” vulnerability in OpenSSL emerged earlier this month, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.

In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can’t specify what kind of data to obtain from the computer’s memory or reliably get the same kind of information each time, the attack depends on luck and timing.

Originally, one of the key concerns about the vulnerability was if an attacker could obtain the private SSL Keys from a server by exploiting Heartbleed. As it turns out, through an experiment setup by CloudFlare, several researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server using the Heartbleed exploit. 

Now, according to researchers at Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. 

“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained in a blog post. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”

The victim was an organization located in the United States, a FireEye spokesperson told SecurityWeek.

According to Mandiant, the following evidence proved the attacker had stolen legitimate user session tokens:

1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.

2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.

3. The timestamps associated with the IP address changes were often within one to two seconds of each other.

4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.

5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.

Additional details and remediation advice are available from Mandiant.

The vulnerability is “catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”

While it’s perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.

It’s very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”

The NSA has denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokeswoman said.

Earlier this week, Canadian police arrested and charged a 19-year-old man for stealing the data of 900 Canadian taxpayers’ data through an attack that exploited the Heartbleed bug.

Tags:

• Network Security
• NEWS & INDUSTRY
• Vulnerabilities

Yahoo’s recently-appointed VP of Information Security and CISO said that, as of this week, Internet traffic moving between Yahoo’s data centers is now fully encrypted.

Alex Stamos, who joined the company last month and has been tasked with securing Yahoo’s online products, provided a status update Wednesday on the company’s initiatives to protect users and their data.

The efforts by Yahoo are the latest as Internet and technology firms scramble to boost their security efforts and up encryption after Edward Snowden began to leak classified details on the scope of US government spying.

According to Stamos, the company has accomplished the following:

• Made Yahoo Mail more secure by making browsing over HTTPS the default.

• Has enabled encryption of mail between its servers and other mail providers that support the SMTPTLS standard.

• The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.

• Implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many the company’s global properties.

He also said that users can initiate an encrypted session for a variety of the company’s news and media services by typing “https” before the site URL in their web browser.

“One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos wrote in a blog post. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”

A new, encrypted, version of Yahoo Messenger will be available in the months ahead, Stamos said.

“In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months,” Stamos continued. “This isn’t a project where we’ll ever check a box and be “finished.” Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.” 

Late last month, Google announced that its Gmail service would use added encryption to protect against eavesdropping and keep messages secure.

In December 2013, a group of US-based Internet giants called on Washington to overhaul its surveillance laws. In an open letter to President Obama and Congress, the tech giants called on Washington to lead the way in a worldwide reform of state-sponsored spying.

In January, President Barack Obama announced plans to curtail the reach of massive phone surveillance sweeps by the NSA, but said bulk data collection must go on to protect America from terrorists.

In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.

Tags:

• Network Security
• NEWS & INDUSTRY
• Privacy